State of OpenClaw 2026: Enterprise Rush Meets Open Security Issues

A detailed enterprise-focused analysis from Big Hat Group paints a vivid picture of OpenClaw at the inflection point between scrappy open-source project and enterprise-grade infrastructure target.

The numbers

OpenClaw crossed 368,000 GitHub stars and 12 million downloads in late May2026. Over 135,000 instances were estimated running in late April. The growth trajectory that took most projects years has been compressed into months.

What changed in May2026

Three trends collided:

  1. Hosted-AI vendors enforcing subscription boundaries — Flat-rate plans that absorbed third-party agent harness traffic in 2024–2025 are being reclassified, surcharged, or refused. Unit economics are forcing tiering across every hosted AI vendor.

  2. Sovereignty and procurement scrutiny tightening — Government warnings about autonomous AI agents issued across Belgium, China, and South Korea. Procurement teams asking where prompts, tool calls, and intermediate artifacts physically reside.

  3. Enterprise-grade hardening arriving — NVIDIA NemoClaw, a hardened OpenClaw fork with NeMo guardrails and OpenShell sandboxes, gives risk-averse buyers something defensible in architecture reviews.

The Anthropic standoff

The biggest community story: Claude Code detecting HERMES.md files (OpenClaw’s agent configuration manifest) and either refusing requests or routing them to a higher-cost billing tier. Users reported cost increases up to 50x. The Hacker News post accumulated 1,336 points and 718 comments in hours.

Anthropic’s Boris Cherny was quoted: “Anthropic’s subscriptions weren’t built for the usage patterns of these third-party tools.”

For enterprises, the read is twofold: optimistic (unit economics forcing tiering everywhere) and defensive (a platform scanning repository contents to identify and surcharge competing tooling users crosses a line).

The Claw Chain shadow

All four Claw Chain CVEs (discovered by Cyera, disclosed in April) have been patched — but the attack surface remains a concern for production deployments. NemoClaw’s governance layer is explicitly designed to address this class of risk, but the fork’s alpha only landed in May.

90-day deployment roadmap

The analysis includes a practical roadmap for enterprises: standardize on v2026.5.22+, rotate API keys, enable sandbox mode, audit skills against known-bad lists, and evaluate NemoClaw for governance-sensitive workloads.

📝 Full analysis at Big Hat Group

← Back to News